AMENDMENTS TO THE CLAIMS
1. (Currently amended) A method of responding to an 
overload condition at a network element ("victim") in a 
set of one or more potential victims on a network, the 
method comprising the steps of 

A. responsively to an indication of an anomalous
traffic condition, initiating diversion of traffic
destined for the victim by with a first set of one or
more network elements external to the set of one or more
potential victims, diverting to a second set of one or
more network elements external to the set of one or more
potential victims traffic otherwise destined for the
victim,

B. the element(s) of the second set filtering
traffic diverted in step A ("diverted traffic") and 
selectively passing a portion thereof to the victim. 

2. (Currently amended) A method according to claim 1,
wherein the diverting initiating step includes effecting 
a path of traffic that differs from a path that traffic 
would otherwise take to the victim. 

3. (Original) A method according to claim 1, wherein 
the filtering step includes detecting any of (i) a
traffic pattern that differs from an expected pattern and
(ii) traffic volume that differs from expected volume, the
detecting step includes determining whether any of the 
traffic pattern and volume varies statistically 
significantly. 

4. (Original) A method according to claim 1, wherein 
the filtering step includes detecting suspected malicious 
traffic. 

5. (Original) A method according to claim 4, wherein
the detecting step includes detecting packets with 
spoofed source addresses. 

6. (Currently amended) A method according to claim 5
claim 1, wherein the filtering step includes detecting
traffic requiring a selected service from the victim. 

7. (Original) A method according to claim 6, wherein 
the filtering step includes discarding traffic not 
requiring the selected service from the victim. 

8. (Original) A method according to claim 7, wherein 
the filtering step includes discarding any of UDP and 
ICMP packet traffic. 

9. (Canceled) 

10. (Currently amended) A method according to claim 1, 
comprising operating one or more elements of the first
set at points on the network around the set of one or 
more potential victims. 

11. (Original) A method according to claim 10,
comprising operating one or more elements of the second
set any of adjacent to or external to one or more
elements of the first set. 

12. (Canceled)

13. (Currently amended) A method according to claim 12
claim 10, activating one or more elements of the first
sets to divert traffic in response to wherein detecting
anomalous traffic condition comprises detecting a
distributed denial of service (DDoS) attack, or receiving
a notification thereof.

14. (Currently amended) A method according to claim 12
claim 10, comprising selectively activating the one or
more elements of the first set by any of (i) declaring a
network address of the victim to be close in network
distance to one or more elements of the second set, and
(ii) declaring the network address of the victim to be
far from the victim.

15. (Currently amended) A method according to claim 12
claim 10, comprising associating the victim with first
and second addresses, and wherein the filtering step 
includes 

discarding traffic received external to an area 
defined by the points directed to the first address, and 

passing traffic to the victim traffic received
external to an area directed to the second address. 

16. (Original) A method according to claim 10, wherein 
the diverting step includes redirecting traffic using 
Policy Based Routing.

17-19. (Canceled) 

20. (Currently amended) A method according to claim 18
claim 5, wherein detecting the packets with spoofed
source addresses comprises executing a verification
protocol with sources of the diverted traffic, and
wherein the passing step includes passing to the victim
traffic from a source that correctly complies with the
handshake verification protocol.

31-32. (Canceled) 

33. (Currently amended) A method according to claim 35
claim 1, wherein the identifying filtering step includes

statistically measuring any of a traffic pattern and
volume so as to identify any of a source and a type of
the overload condition.

34. (Canceled) 

35. (Currently amended) A method according to claim 34
claim 33, comprising determining any of a the traffic
pattern and volume during a period when the victim is not
afe-oa in the overload condition, for comparison with any
of the traffic pattern and volume in the filtering step
upon detecting the anomalous traffic condition.

36-45. (Canceled)

46. (Currently amended) A network element for use in 
protecting against an overload condition on a network, 
the network element comprising: 

an input for receiving traffic diverted from the 
network, the traffic comprising flows of data packets 
having respective source addresses; 

a filter coupled to the input, the filter
selectively blocking traffic originating from a source
suspected as potentially causing the overload condition,

a statistics module that is coupled to the filter
and that identifies traffic statistically indicative of
having originated from source potentially causing
overload condition, arranged to perform a statistical
analysis of the diverted traffic so as to detect an
anomalous pattern of a flow associated with at least one
of the source addresses;

a filter, which is operative, responsively to
detection of the anomalous pattern, to block at least a
portion of the data packets having the at least one of 
the source addresses; and 

an output coupled to the input for selectively
passing on to further elements in the network traffic not 
blocked by the filter. 

47. (Original) A network element according to claim 46, 
comprising a termination detection module that at least 
participates in determining when the overload condition
has ended. 

48. (Currently amended) A network element according to 
claim 46, comprising an antispoofing element that any of
authenticates and verifies performs at least one of
authenticating and verifying a source of traffic.

49. (Currently amended) A system for use in protecting
against an overload condition on a network, the network
element system comprising:

one or more network elements ("guards") disposed on 
the network, each network element having 

an input for receiving traffic from the
network,

aa a filter coupled to the input, the filter 
selectively blocking traffic originating from a 
source suspected as potentially causing the overload 
condition, 

a statistics module that is coupled to the 
filter and that identifies the traffic statistically 
indicative of having originated from a the source 
suspected as potentially causing the overload 
condition, and 

an output coupled to the input for selectively 
passing on to further elements in the network 
traffic not blocked by the filter, 

one or more further network elements ("diverters") 
disposed on the network and in communication with the 
guards, the further network elements selectively -f4f
diverting to one or more initiating, responsively to
detection of an anomalous traffic condition, diversion to
at least one of the guards traffic otherwise destined for
a still further network element ("victim") in a set of
one or more potential victims on the network.

50. (Currently amended) A system according to claim 49,
wherein one or more at least one of the guards comprises
a termination detection module that at least participates
in determining when the overload condition has ended.

51. (Currently amended) A system according to claim 49, 
wherein one or more at least one of the guards comprises
an ingress filter, coupled to the statistical statistics
module, that generates and transmits to a further network 
element on the network rules for blocking traffic on the 
network . 

52. (Currently amended) A network element system
according to claim 49, comprising an antispoofing element
that any of authenticates and verifies a source of 
traffic. 

53. (New) A method according to claim 1, wherein 
diverting the traffic comprises diverting all of the 
traffic destined for the victim upon detecting the 
anomalous traffic condition.

54. (New) A method according to claim 1, and comprising 
learning an expected pattern of the traffic while the 
victim is not under attack, wherein detecting the 
anomalous traffic condition comprises determining that 
the traffic differs significantly from the expected 
pattern.

55. (New) A method according to claim 2, wherein the
first set of one or more network elements comprises
network switches having respective ports, comprising at
least one switch that is configured to route the traffic 
to the victim through a first port while the victim is 
not under attack, and wherein effecting the path 
comprises instructing the at least one switch to route
the traffic destined for the victim through a second 
port, to which at least one of the network elements in 
the second set is coupled. 

56. (New) A method of responding to an overload 
condition at a network element ("victim") in a set of one
or more potential victims on a network, the method 
comprising: 

diverting to a guard machine traffic destined for 
the victim, the traffic comprising flows of data packets
having respective source addresses; 

performing a statistical analysis of the diverted 
traffic at the guard machine so as to detect an anomalous 
pattern of a flow associated with at least one of the 
source addresses; and

responsively to detecting the anomalous pattern, 
preventing at least a portion of the data packets having 
the at least one of the source addresses from reaching 
the victim while passing to the victim at least some of 
the data packets from other source addresses. 

57. (New) A method according to claim 56, wherein 
performing the statistical analysis comprises learning an 
expected traffic pattern of the flows while the victim is 
not under attack, and detecting an attack by determining 
that the anomalous pattern differs from the expected 
traffic pattern. 

58. (New) A method according to claim 56, wherein
performing the statistical analysis comprises detecting
any of a traffic volume, port number distribution, 
periodicity of requests, packet properties, IP geography, 
and distribution of packet arrival/size. 

59. (New) A method according to claim 5S, and comprising
processing the diverted traffic so as to detect and 
discard the data packets that have one or more spoofed 
source addresses before performing the statistical 
analysis. 

60. (New) A method according to claim 59, wherein
processing the diverted traffic comprises initiating a
protocol handshake between the guard machine one or more
of the source addresses in order to determine that the
one or more of the source addresses are spoofed.

61. (New) A method according to claim 56, wherein 
preventing at least the portion of the data packets 
comprises filtering out the diverted packets that have 
the at least one of the source addresses. 

62. (New) A method according to claim 61, wherein 
filtering out the diverted packets comprises discarding 
the diverted packets that have the at least one of the 
source addresses before performing the statistical 
analysis on the diverted traffic that remains after the 
discarding.

63. (New) A method according to claim 62, and comprising 
processing the diverted traffic after discarding the 
diverted packets that have the at least one of the source
addresses so as to detect and discard the data packets 
that have one or more spoofed source addresses before 
performing the statistical analysis. 

64. (New) A method according to claim 56, wherein
performing the statistical analysis comprises at least
one of analyzing one or more of netflow data, server
logs, victim traffic, and traffic volume, and classifying
the statistical analysis according to types of users that
generated the traffic.

65. (New) A method according to claim 56, wherein 
performing the statistical analysis comprises classifying 
the traffic according to types of users that generated 
it. 

66. (New) A method of responding to an overload 
condition at a network element ("victim") in a set of one 
or more potential victims on a network, the method 
comprising: 

coupling the victim to receive traffic from the 
network via a first port of a network switch; 

actuating the network switch to divert the traffic 
destined for the victim to a second port to which a guard 
machine is coupled; 

filtering the diverted traffic using the guard 
machine; and

selectively passing at least a portion of the 
filtered traffic from the guard machine to the victim. 

67. (New) A method according to claim 66, wherein the 
network switch comprises a router.

68. (New) A method according to claim 66, wherein 
selectively passing at least the portion of the filtered 
traffic comprises passing the filtered traffic from the 
guard machine to the network switch, for transmission to 
the victim via the first port. 

69. (New) A method according to claim 66, wherein
filtering the diverted traffic comprises performing a 
statistical analysis of the diverted traffic so as to 
detect an anomalous pattern of a flow associated with at 
least one source address of the traffic, and responsively 
to detecting the anomalous pattern, preventing at least a 
portion of the data packets having the at least one 
source address. 